[ISN] For Windows Vista Security, Microsoft Called in Pros

From: InfoSec News (alerts@private)
Date: Tue Jan 09 2007 - 03:04:53 PST


By Alec Klein and Ellen Nakashima
Washington Post Staff Writers
January 9, 2007

When Microsoft introduces its long-awaited Windows Vista operating 
system this month, it will have an unlikely partner to thank for making 
its flagship product safe and secure for millions of computer users 
across the world: the National Security Agency.

For the first time, the giant software maker is acknowledging the help 
of the secretive agency, better known for eavesdropping on foreign 
officials and, more recently, U.S. citizens as part of the Bush 
administration's effort to combat terrorism. The agency said it has 
helped in the development of the security of Microsoft's new operating 
system -- the brains of a computer -- to protect it from worms, Trojan 
horses and other insidious computer attackers.

"Our intention is to help everyone with security," Tony W. Sager, the 
NSA's chief of vulnerability analysis and operations group, said 

The NSA's impact may be felt widely. Windows commands more than 90 
percent of the worldwide market share in desktop operating systems, and 
Vista, which is set to be released to consumers Jan. 30, is expected to 
be used by more than 600 million computer users by 2010, according to Al 
Gillen, an analyst at market research firm International Data.

Microsoft has not promoted the NSA's contributions, mentioning on its 
Web site the agency's role only at the end of its "Windows Vista 
Security Guide," which states that the "guide is not intended for home 
users" but for information and security specialists.

The Redmond, Wash., software maker declined to be specific about the 
contributions the NSA made to secure the Windows operating system.

The NSA also declined to be specific but said it used two groups -- a 
"red team" and a "blue team" -- to test Vista's security. The red team, 
for instance, posed as "the determined, technically competent adversary" 
to disrupt, corrupt or steal information. "They pretend to be bad guys," 
Sager said. The blue team helped Defense Department system 
administrators with Vista's configuration.

Microsoft said this is not the first time it has sought help from the 
NSA. For about four years, Microsoft has tapped the spy agency for 
security expertise in reviewing its operating systems, including the 
Windows XP consumer version and the Windows Server 2003 for corporate 

With hundreds of thousands of Defense Department employees using 
Microsoft's software, the NSA realizes that it's in its own interest to 
make the product as secure as possible. "It's partly a recognition that 
this is a commercial world," Sager said. "Our customers have spoken."

Microsoft also has sought the security expertise of other U.S. 
government and international entities, including NATO. "I cannot mention 
any of the other international agencies," said Donald R. Armstrong, 
senior program manager of Microsoft's government security program, 
citing the wishes of those agencies to remain anonymous.

Microsoft's concerns extend beyond the welfare of its software when it 
seeks the security expertise of government agencies. "When you get into 
an environment where a Microsoft product is used in a battlefield 
situation or a government situation where if a system is compromised, 
identities could be found out," and it could be a matter of life and 
death, Armstrong said.

Other software makers have turned to government agencies for security 
advice, including Apple, which makes the Mac OS X operating system. "We 
work with a number of U.S. government agencies on Mac OS X security and 
collaborated with the NSA on the Mac OS X security configuration guide," 
said Apple spokesman Anuj Nayar in an e-mail.

Novell, which sells a Linux-based operating system, also works with 
government agencies on software security issues, spokesman Bruce Lowry 
said in an e-mail, "but we're not in a position to go into specifics of 
the who, what, when types of questions."

The NSA declined to comment on its security work with other software 
firms, but Sager said Microsoft is the only one "with this kind of 
relationship at this point where there's an acknowledgment publicly."

The NSA, which provided its service free, said it was Microsoft's idea 
to acknowledge the spy agency's role.

The NSA's primary mission is signals intelligence -- monitoring the 
communications of foreign powers, terrorists and others. But its 
secondary objective is "information assurance," under which the security 
of Microsoft's operating system falls.

Industry observers suggest that both the NSA and Microsoft have good 
reason to disclose their relationship. For Microsoft, the NSA's 
imprimatur may be viewed as a vote of confidence in the operating 
system's security.

"I kind of call it a Good Housekeeping seal" of approval, said Michael 
Cherry, a former Windows program manager who now analyzes the product 
for Directions on Microsoft, a firm that tracks the software maker.

Cherry says the NSA's involvement can help counter the perception that 
Windows is not entirely secure and help create a perception that 
Microsoft has solved the security problems that have plagued it in the 
past. "Microsoft also wants to make the case that [the new Windows is] more 
secure than its earlier versions," he said.

Armstrong, the Microsoft manager, said: "The entire crux of Vista was 
security. . . . Security is at the forefront of our thoughts and our 
methods in developments and is critically important to our customers."

Copyright 2007 The Washington Post Company
